
Re: MD5 compatibility with FreeBSD

Charlie Brady <cbrady@ind.tansu.com.au> wrote:
> All these patches (I think), fake a PAM conversation in order to check
> that a username/password combination that we have in hand is correct. Is
> there a good reason that something which does this task couldn't go
> straight into libpam_misc?

I spent quite a long time trying to do this before I wrote pam_checkpasswd
for qmail's pop daemon.

Checkpassword is something with similar aims to PAM, but which works by
splitting a suidroot process into the suid bit and the function-as-user
bit, with a glue-program that does the authentication before invoking
the secondary part of the program - change the glue-program and you can
change from vanilla passwords to shadowed passwords etc.

Mercifully, checkpassword expects the user and password to be squirted
in on file descriptor 3, so it was easier to write the glue section as
a program which interrogated PAM and a companion module which read the
username and password from fd3.

I mention this merely because it's an alternative to assuming that the
first non-hidden user-input request from PAM is the username, and that
the first hidden user-input request is the password - pam_checkpassword
sets PAM_USER and PAM_AUTHTOK directly.

I've updated http://www.mmm.co.uk/~warwick/pam, if you'd like a look.

.-----------------------------------. mailto:warwick@mmm.co.uk
! Tim Baverstock, Internet SysAdmin !   http://www.mmm.co.uk [/~warwick]
`-----------------------------------'   plan:"Level 1 RFC1149 compliance."
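
The fd 3 hand-off described in the message above, as an added example that is not part of the original post and is not the pam_checkpasswd source. It assumes the layout given in the checkpassword interface description (login, password and timestamp, each NUL-terminated, at most 512 bytes before end of file); the names `cp_read_all` and `cp_parse` are hypothetical.

```c
/* Added example (not from pam_checkpasswd): parse checkpassword input.
 * fd 3 carries login\0 password\0 timestamp\0, at most 512 bytes to EOF. */
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define CP_MAX 512
/* Read fd to EOF. Returns the byte count, or -1 on error or when more than
 * cap bytes arrive (oversized input is rejected rather than truncated). */
static long cp_read_all(int fd, char *buf, size_t cap)
{
    size_t used = 0;
    for (;;) {
        char extra;
        ssize_t n = (used < cap) ? read(fd, buf + used, cap - used)
                                 : read(fd, &extra, 1);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        if (n == 0) return (long)used;
        if (used == cap) return -1;
        used += (size_t)n;
    }
}

/* Find the three NUL-terminated fields in buf[0..len). Returns 0, or -1 if
 * a terminator is missing or the login is empty. Pointers alias buf. */
static int cp_parse(const char *buf, size_t len, const char **user,
                    const char **pass, const char **stamp)
{
    const char **out[3] = { user, pass, stamp };
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        const char *end = memchr(buf + off, '\0', len - off);
        if (end == NULL) return -1;
        *out[i] = buf + off;
        off = (size_t)(end - buf) + 1;
    }
    return (**user == '\0') ? -1 : 0;
}

int main(void)
{
    char buf[CP_MAX];
    const char *user, *pass, *stamp;
    long n = cp_read_all(3, buf, sizeof buf);
    if (n < 0 || cp_parse(buf, (size_t)n, &user, &pass, &stamp) != 0)
        return 2;   /* malformed or oversized input */
    return 1;       /* no back end in this example, so fail closed (reject) */
}
```

Because the credentials arrive as data on a descriptor, nothing here depends on guessing which PAM prompt is the username and which is the password.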
